source: trunk/src/sh_prelude.c@ 6

Last change on this file since 6 was 2, checked in by rainer, 19 years ago

Fix to compile server with support for prelude logging.

File size: 29.6 KB
Line 
1/*
2 *
3 * Copyright (C) 2005 Yoann Vandoorselaere, Prelude IDS Technologies
4 * Rainer Wichmann
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2, or (at your option)
9 * any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; see the file COPYING. If not, write to
18 * the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
19 *
20 */
21
22/*
23 * 28/04/2005 : R.W.:
24 * move libprelude 0.8 code to seperate file
25 *
26 * 23/04/2005 : R.W.:
27 * include libprelude 0.9 code from Yoann Vandoorselaere
28 */
29
30#include "config_xor.h"
31
32#define _XOPEN_SOURCE 500 /* glibc2 needs this */
33
34#include <stdio.h>
35#include <string.h>
36#include <sys/types.h>
37
38#if TIME_WITH_SYS_TIME
39
40# include <sys/time.h>
41# include <time.h>
42
43#else
44
45# if HAVE_SYS_TIME_H
46# include <sys/time.h>
47# else
48# include <time.h>
49# endif
50
51#endif
52
53#include <unistd.h>
54#include <syslog.h>
55#include <pwd.h>
56#include <grp.h>
57
58#if defined(HAVE_LIBPRELUDE) && defined(HAVE_LIBPRELUDE_9)
59
60
61/*
62 * _() macros are samhain specific; they are used to replace string
63 * constants at runtime. This is part of the samhain stealth mode
64 * (fill string constants with encoded strings, decode at runtime).
65 */
66#define FIL__ _("sh_prelude.c")
67
68
69#include <libprelude/idmef.h>
70#include <libprelude/prelude.h>
71
72/*
73 * includes for samhain-specific functions (sl_strstr, sh_error_handle)
74 */
75#include "slib.h"
76#include "sh_cat.h"
77#include "sh_error_min.h"
78#include "sh_prelude.h"
79
80/*
81 * When SH_USE_XML is set, value are formated using name="value".
82 * Otherwise, value is formatted using the format name=<value>.
83 */
84#ifdef SH_USE_XML
85# define VALUE_DELIM_START '"'
86# define VALUE_DELIM_END '"'
87#else
88# define VALUE_DELIM_START '<'
89# define VALUE_DELIM_END '>'
90#endif
91
92#define IDMEF_ANALYZER_MODEL _("Samhain")
93#define IDMEF_ANALYZER_CLASS _("Integrity Checker")
94#define IDMEF_ANALYZER_VERSION VERSION
95#define IDMEF_ANALYZER_MANUFACTURER _("Samhain by Rainer Wichmann")
96
97#define CLASSIFICATION_URL _("http://www.la-samhna.de/samhain/")
98
99
100
101/*
102 * 0 = not initialized; -1 = failed; 1 = initialized
103 */
104static int initialized = 0;
105static int ready_for_init = 0;
106
107static char *profile = NULL;
108static prelude_client_t *client = NULL;
109
110static int severity_map[1 + (unsigned int) IDMEF_IMPACT_SEVERITY_HIGH] = {
111 /* 0: unused (?) */ 0,
112 /* 1: INFO */ 0,
113 /* 2: LOW */ SH_ERR_ALL|SH_ERR_INFO,
114 /* 3: MEDIUM */ SH_ERR_NOTICE|SH_ERR_WARN|SH_ERR_STAMP|SH_ERR_ERR,
115 /* 4: HIGH */ SH_ERR_SEVERE|SH_ERR_FATAL
116};
117
118/* returns 0/tiger, 1/sha1, or 2/md5
119 */
120extern int sh_tiger_get_hashtype(void);
121
122static void clear_and_set (int setpos, int flag)
123{
124 unsigned int i;
125 /* clear everywhere, and set at correct position */
126 for (i = 1; i < (1 + (unsigned int) IDMEF_IMPACT_SEVERITY_HIGH); ++i)
127 severity_map[i] &= ~flag;
128 severity_map[setpos] |= flag;
129 return;
130}
131
132static int set_prelude_severity_int (char * str, int prelude_sev)
133{
134 char * p = strtok (str, ", \t");
135
136 if (p) {
137 do {
138 if (0 == strcmp (p, _("alert")))
139 clear_and_set (prelude_sev, SH_ERR_FATAL);
140 else if (0 == strcmp (p, _("crit")))
141 clear_and_set (prelude_sev, SH_ERR_SEVERE);
142 else if (0 == strcmp (p, _("err")))
143 clear_and_set (prelude_sev, SH_ERR_ERR);
144 else if (0 == strcmp (p, _("mark")))
145 clear_and_set (prelude_sev, SH_ERR_STAMP);
146 else if (0 == strcmp (p, _("warn")))
147 clear_and_set (prelude_sev, SH_ERR_WARN);
148 else if (0 == strcmp (p, _("notice")))
149 clear_and_set (prelude_sev, SH_ERR_NOTICE);
150 else if (0 == strcmp (p, _("debug")))
151 clear_and_set (prelude_sev, SH_ERR_ALL);
152 else if (0 == strcmp (p, _("info")))
153 clear_and_set (prelude_sev, SH_ERR_INFO);
154 else
155 return -1;
156 p = strtok (NULL, ", \t");
157 } while (p);
158 }
159 return 0;
160}
161
162int sh_prelude_map_info (char * str)
163{
164 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_INFO));
165}
166int sh_prelude_map_low (char * str)
167{
168 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_LOW));
169}
170int sh_prelude_map_medium (char * str)
171{
172 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_MEDIUM));
173}
174int sh_prelude_map_high (char * str)
175{
176 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_HIGH));
177}
178
179static idmef_impact_severity_t map_severity (int sam_sev)
180{
181 int i;
182 int max = 1 + (unsigned int) IDMEF_IMPACT_SEVERITY_HIGH;
183 idmef_impact_severity_t retval = IDMEF_IMPACT_SEVERITY_MEDIUM;
184
185 for (i = 0; i < max; ++i) {
186 if (severity_map[i] & sam_sev) {
187 retval = (idmef_impact_severity_t) i;
188 }
189 }
190 return retval;
191}
192
193static char *do_get_value(char *ptr, char delim_start, char delim_end)
194{
195 char *ret = NULL;
196
197 ptr = strchr(ptr, delim_start);
198 if ( ! ptr )
199 return NULL;
200
201 ret = ++ptr;
202
203 ptr = strchr(ptr, delim_end);
204 if ( ! ptr )
205 return NULL;
206
207 *ptr = '\0';
208 ret = strdup(ret);
209 *ptr = delim_end;
210
211 return ret;
212}
213
214
215
216static char *get_value(char *msg, const char *toktmp, const char *toksuffix)
217{
218 char *ptr, tok[128];
219
220 snprintf(tok, sizeof(tok), "%s%s=", toktmp, (toksuffix) ? toksuffix : "");
221
222 ptr = strstr(msg, tok);
223 if ( ! ptr )
224 return NULL;
225
226 return do_get_value(ptr, VALUE_DELIM_START, VALUE_DELIM_END);
227}
228
229
230
231static char *get_time_value(char *msg, const char *toktmp, const char *toksuffix)
232{
233
234 char *ret, *ptr, tok[128];
235
236 snprintf(tok, sizeof(tok), "%s%s=", toktmp, (toksuffix) ? toksuffix : "");
237
238 ptr = strstr(msg, tok);
239 if ( ! ptr )
240 return NULL;
241
242#ifndef SH_USE_XML
243 ret = do_get_value(ptr, '[', ']');
244#else
245 ret = do_get_value(ptr, VALUE_DELIM_START, VALUE_DELIM_END);
246#endif
247
248 return ret;
249}
250
251
252
253
254#if 0
255void debug_print_message(idmef_message_t *msg)
256{
257 int ret;
258 prelude_io_t *fd;
259
260 ret = prelude_io_new(&fd);
261 if ( ret < 0 )
262 return;
263
264 prelude_io_set_file_io(fd, stderr);
265 idmef_message_print(idmef, fd);
266
267 prelude_io_destroy(fd);
268}
269#endif
270
271
272
273static int idmef_time_from_samhain(idmef_time_t **time, const char *str)
274{
275 int ret;
276 char *ptr;
277 time_t utc;
278 struct tm lt;
279
280 /*
281 * Samhain stamp are encoded in UTC.
282 */
283 ptr = strptime(str, _("%Y-%m-%dT%H:%M:%S"), &lt);
284 if ( ! ptr ) {
285 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
286 _("could not format Samhain time"), _("idmef_time_from_samhain"));
287 return -1;
288 }
289
290 utc = prelude_timegm(&lt);
291
292 ret = idmef_time_new_from_time(time, &utc);
293 if ( ret < 0 )
294 return ret;
295
296 return 0;
297}
298
299static void get_access_info(idmef_file_access_t *access, char * mode, int pos, int mpos)
300{
301 int got = 0;
302 int ret;
303 prelude_string_t *str;
304
305 do {
306 if ( mode[pos] == 'r' ) {
307 ret = idmef_file_access_new_permission(access, &str, -1);
308 if ( ret < 0 )
309 return;
310 prelude_string_set_dup(str, _("read"));
311 ++got;
312 }
313 else if ( mode[pos] == 'w' ) {
314 ret = idmef_file_access_new_permission(access, &str, -1);
315 if ( ret < 0 )
316 return;
317 prelude_string_set_dup(str, _("write"));
318 ++got;
319 }
320 else if ( mode[pos] == 'x' || mode[pos] == 's' || mode[pos] == 't') {
321 ret = idmef_file_access_new_permission(access, &str, -1);
322 if ( ret < 0 )
323 return;
324
325 if ( mode[pos] == 'x' && mode[0] == 'd' )
326 prelude_string_set_dup(str, _("search"));
327
328 else if ( mode[pos] == 'x' || mode[pos] == 't' )
329 prelude_string_set_dup(str, _("execute"));
330
331 else /* 's' */
332 prelude_string_set_dup(str, _("executeAs"));
333 ++got;
334 }
335 ++pos;
336 } while (pos <= mpos);
337
338 if ( got == 0 ) {
339 ret = idmef_file_access_new_permission(access, &str, -1);
340 if ( ret < 0 )
341 return;
342 prelude_string_set_dup(str, _("noAccess"));
343 }
344 return;
345}
346
347
348static void get_file_infos(idmef_target_t *target, char *msg,
349 idmef_file_category_t category)
350{
351 int ret;
352 int hashtype = 0;
353 char *ptr;
354 idmef_time_t *time;
355 idmef_file_t *file;
356 idmef_inode_t *inode;
357 prelude_string_t *str;
358 idmef_checksum_t *checksum;
359 idmef_file_access_t *access;
360 idmef_user_id_t *userid;
361 const char *suffix = (category == IDMEF_FILE_CATEGORY_CURRENT) ? "_new" : "_old";
362 char *mode = NULL;
363
364 ret = idmef_target_new_file(target, &file, -1);
365 if ( ret < 0 )
366 return;
367 idmef_file_set_category(file, category);
368
369 ptr = get_value(msg, _("path"), NULL);
370 if ( ptr ) {
371 /*
372 * In term of IDMEF, this is the full path,
373 * including the name.
374 */
375 ret = idmef_file_new_path(file, &str);
376 if ( ret < 0 )
377 return;
378 prelude_string_set_nodup(str, ptr);
379
380 ptr = strrchr(ptr, '/');
381 if ( ptr ) {
382 ret = idmef_file_new_name(file, &str);
383 if ( ret < 0 )
384 return;
385
386 prelude_string_set_dup(str, ptr + 1);
387 }
388 }
389
390 ptr = get_value(msg, _("size"), suffix);
391 if ( ptr ) {
392 idmef_file_set_data_size(file, strtoul(ptr, NULL, 10));
393 free(ptr);
394 }
395
396 ptr = get_time_value(msg, _("mtime"), suffix);
397 if ( ptr ) {
398 ret = idmef_time_from_samhain(&time, ptr);
399 if ( ret < 0 )
400 return;
401
402 idmef_file_set_modify_time(file, time);
403 free(ptr);
404 }
405
406 ptr = get_time_value(msg, _("ctime"), suffix);
407 if ( ptr ) {
408 ret = idmef_time_from_samhain(&time, ptr);
409 if ( ret < 0 )
410 return;
411
412 idmef_file_set_create_time(file, time);
413 free(ptr);
414 }
415
416 ptr = get_value(msg, _("inode"), suffix);
417 if ( ptr ) {
418 ret = idmef_file_new_inode(file, &inode);
419 if ( ret < 0 )
420 return;
421
422 idmef_inode_set_number(inode, strtoul(ptr, NULL, 10));
423 free(ptr);
424 }
425
426 ptr = get_value(msg, _("chksum"), suffix);
427 if ( ptr ) {
428 ret = idmef_file_new_checksum(file, &checksum, 0);
429 if ( ret < 0 )
430 return;
431
432 hashtype = sh_tiger_get_hashtype();
433
434 if (hashtype == 0)
435 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_TIGER);
436
437 else if (hashtype == 1)
438 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_SHA1);
439
440 else if (hashtype == 2)
441 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_MD5);
442
443 else
444 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_TIGER);
445
446
447 ret = idmef_checksum_new_value(checksum, &str);
448 if ( ret < 0 )
449 return;
450
451 /* will be freed on destroy()
452 */
453 prelude_string_set_nodup(str, ptr);
454 }
455
456 mode = get_value(msg, _("mode"), suffix);
457 if ( mode ) {
458 ret = idmef_file_new_file_access(file, &access, -1);
459 if ( ret < 0 )
460 return;
461
462 ret = idmef_file_access_new_user_id(access, &userid);
463 if ( ret < 0 )
464 return;
465 idmef_user_id_set_type(userid, IDMEF_USER_ID_TYPE_OTHER_PRIVS);
466
467 get_access_info ( access, mode, 7, 9 );
468 }
469
470 ptr = get_value(msg, _("owner"), suffix);
471 if ( ptr ) {
472 struct passwd *pw;
473
474 ret = idmef_file_new_file_access(file, &access, 0);
475 if ( ret < 0 )
476 return;
477
478 ret = idmef_file_access_new_user_id(access, &userid);
479 if ( ret < 0 )
480 return;
481 idmef_user_id_set_type(userid, IDMEF_USER_ID_TYPE_USER_PRIVS);
482
483 ret = idmef_user_id_new_name(userid, &str);
484 if ( ret < 0 )
485 return;
486
487 prelude_string_set_nodup(str, ptr);
488
489 pw = getpwnam(ptr);
490 if ( ! pw )
491 return;
492
493 idmef_user_id_set_number(userid, pw->pw_uid);
494
495 if ( mode ) {
496 get_access_info ( access, mode, 1, 3 );
497 }
498 }
499
500 ptr = get_value(msg, _("group"), suffix);
501 if ( ptr ) {
502 struct group *gr;
503
504 ret = idmef_file_new_file_access(file, &access, -1);
505 if ( ret < 0 )
506 return;
507
508 ret = idmef_file_access_new_user_id(access, &userid);
509 if ( ret < 0 )
510 return;
511 idmef_user_id_set_type(userid, IDMEF_USER_ID_TYPE_GROUP_PRIVS);
512
513 ret = idmef_user_id_new_name(userid, &str);
514 if ( ret < 0 )
515 return;
516
517 prelude_string_set_nodup(str, ptr);
518
519 gr = getgrnam(ptr);
520 if ( ! gr )
521 return;
522
523 idmef_user_id_set_number(userid, gr->gr_gid);
524
525 if ( mode ) {
526 get_access_info ( access, mode, 4, 6 );
527 }
528 }
529
530 if ( mode ) {
531 free ( mode );
532 }
533}
534
535
536
537static int map_policy_to_class(char *msg, unsigned long msgid, idmef_impact_t *impact, prelude_string_t *out)
538{
539 char *ptr;
540 int ret, i;
541 struct tbl {
542 unsigned int msgid;
543 const char *name;
544 idmef_impact_type_t type;
545 } tbl[] = {
546
547#ifdef SH_USE_UTMP
548 { MSG_UT_LG1X, N_("User Login"), IDMEF_IMPACT_TYPE_USER },
549 { MSG_UT_LG1A, N_("User Login"), IDMEF_IMPACT_TYPE_USER },
550 { MSG_UT_LG1B, N_("User Login"), IDMEF_IMPACT_TYPE_USER },
551 { MSG_UT_LG2X, N_("Multiple User Login"), IDMEF_IMPACT_TYPE_USER },
552 { MSG_UT_LG2A, N_("Multiple User Login"), IDMEF_IMPACT_TYPE_USER },
553 { MSG_UT_LG2B, N_("Multiple User Login"), IDMEF_IMPACT_TYPE_USER },
554 { MSG_UT_LG3X, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
555 { MSG_UT_LG3A, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
556 { MSG_UT_LG3B, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
557 { MSG_UT_LG3C, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
558#endif
559
560#if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
561 { MSG_FI_MISS, N_("File Missing"), IDMEF_IMPACT_TYPE_FILE },
562 { MSG_FI_MISS2, N_("File Missing"), IDMEF_IMPACT_TYPE_FILE },
563 { MSG_FI_ADD, N_("File Added"), IDMEF_IMPACT_TYPE_FILE },
564 { MSG_FI_ADD2, N_("File Added"), IDMEF_IMPACT_TYPE_FILE },
565 { MSG_FI_CHAN, N_("File Modified"), IDMEF_IMPACT_TYPE_FILE },
566 { MSG_FI_NODIR, N_("File found where directory was expected"), IDMEF_IMPACT_TYPE_FILE },
567#endif
568
569#ifdef SH_USE_KERN
570 { MSG_KERN_POLICY, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
571 { MSG_KERN_POL_CO, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
572 { MSG_KERN_PROC, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
573 { MSG_KERN_GATE, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
574 { MSG_KERN_IDT, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
575 { MSG_KERN_SYSCALL, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
576#endif
577
578#ifdef SH_USE_SUIDCHK
579 { MSG_SUID_POLICY, N_("SUID/SGID File Detected"), IDMEF_IMPACT_TYPE_FILE },
580#endif
581 /*
582 * This must be the last table entry
583 */
584 { 0, NULL, IDMEF_IMPACT_TYPE_OTHER },
585 };
586
587 for ( i = 0; tbl[i].name != NULL; i++ ) {
588 if ( tbl[i].msgid != msgid )
589 continue;
590
591 idmef_impact_set_type(impact, tbl[i].type);
592 return prelude_string_cat(out, _(tbl[i].name));
593 }
594
595 /* some other message
596 */
597 ptr = get_value(msg, _("msg"), NULL);
598 if ( ! ptr ) {
599 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
600 _("could not format Samhain message"), _("map_policy_to_class"));
601 return -1;
602 }
603
604 ret = prelude_string_cat(out, ptr);
605 free(ptr);
606
607 return ret;
608}
609
610
611
612static int get_login_info(char *msg, idmef_alert_t *alert)
613{
614 int ret;
615 char *ptr, *ip;
616 idmef_user_t *user;
617 idmef_node_t *node;
618 struct passwd *pw;
619 prelude_string_t *str;
620 idmef_user_id_t *user_id;
621 idmef_address_t *address;
622 idmef_target_t *target = idmef_alert_get_next_target(alert, NULL);
623 idmef_source_t *source = idmef_alert_get_next_source(alert, NULL);
624
625 ip = ptr = get_value(msg, _("ip"), NULL);
626 if ( ptr ) {
627 if ( ! source ) {
628 ret = idmef_alert_new_source(alert, &source, -1);
629 if ( ret < 0 ) {
630 free(ptr);
631 return ret;
632 }
633 }
634
635 ret = idmef_source_new_node(source, &node);
636 if ( ret < 0 ) {
637 free(ptr);
638 return ret;
639 }
640
641 ret = idmef_node_new_address(node, &address, -1);
642 if ( ret < 0 ) {
643 free(ptr);
644 return ret;
645 }
646
647 ret = idmef_address_new_address(address, &str);
648 if ( ret < 0 ) {
649 free(ptr);
650 return ret;
651 }
652
653 prelude_string_set_nodup(str, ptr);
654 }
655
656 ptr = get_value(msg, _("host"), NULL);
657 if ( ptr ) {
658 if ( ip && strcmp(ptr, ip) == 0 )
659 free(ptr);
660 else {
661 if ( ! source ) {
662 ret = idmef_alert_new_source(alert, &source, -1);
663 if ( ret < 0 ) {
664 free(ptr);
665 return ret;
666 }
667 }
668
669 ret = idmef_source_new_node(source, &node);
670 if ( ret < 0 ) {
671 free(ptr);
672 return ret;
673 }
674
675 ret = idmef_node_new_name(node, &str);
676 if ( ret < 0 ) {
677 free(ptr);
678 return ret;
679 }
680
681 prelude_string_set_nodup(str, ptr);
682 }
683 }
684
685 ptr = get_value(msg, _("name"), NULL);
686 if ( ptr ) {
687 ret = idmef_target_new_user(target, &user);
688 if ( ret < 0 ) {
689 free(ptr);
690 return ret;
691 }
692
693 idmef_user_set_category(user, IDMEF_USER_CATEGORY_OS_DEVICE);
694
695 ret = idmef_user_new_user_id(user, &user_id, -1);
696 if ( ret < 0 ) {
697 free(ptr);
698 return ret;
699 }
700
701 idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_TARGET_USER);
702
703 pw = getpwnam(ptr);
704 if ( pw )
705 idmef_user_id_set_number(user_id, pw->pw_uid);
706
707 ret = idmef_user_id_new_name(user_id, &str);
708 if ( ret < 0 ) {
709 free(ptr);
710 return ret;
711 }
712 prelude_string_set_nodup(str, ptr);
713
714 ptr = get_value(msg, _("tty"), NULL);
715 if ( ptr ) {
716 ret = idmef_user_id_new_tty(user_id, &str);
717 if ( ret < 0 ) {
718 free(ptr);
719 return ret;
720 }
721
722 prelude_string_set_nodup(str, ptr);
723 }
724 }
725
726 ptr = get_time_value(msg, _("time"), NULL);
727 if ( ptr ) {
728 idmef_time_t *time;
729
730 ret = idmef_time_from_samhain(&time, ptr);
731 free(ptr);
732
733 if ( ret < 0 )
734 return ret;
735
736 idmef_alert_set_detect_time(alert, time);
737 }
738
739 return 0;
740}
741
742
743static int samhain_alert_prelude(int priority, int sh_class,
744 char *message, unsigned long msgid)
745{
746 int ret;
747 idmef_time_t *time;
748 idmef_alert_t *alert;
749 idmef_message_t *idmef;
750 idmef_classification_t *classification;
751 idmef_assessment_t *assessment;
752 idmef_additional_data_t *data;
753 idmef_impact_t *impact;
754 idmef_target_t *target;
755 idmef_confidence_t *confidence;
756 prelude_string_t *str;
757
758 if ( sh_class == STAMP)
759 return 0;
760
761 ret = idmef_message_new(&idmef);
762 if ( ret < 0 )
763 goto err;
764
765 ret = idmef_message_new_alert(idmef, &alert);
766 if ( ret < 0 )
767 goto err;
768
769 idmef_alert_set_analyzer(alert, idmef_analyzer_ref(prelude_client_get_analyzer(client)), 0);
770
771 ret = idmef_time_new_from_gettimeofday(&time);
772 if ( ret < 0 )
773 goto err;
774 idmef_alert_set_detect_time(alert, time);
775
776 ret = idmef_time_new_from_gettimeofday(&time);
777 if ( ret < 0 )
778 goto err;
779 idmef_alert_set_create_time(alert, time);
780
781 ret = idmef_alert_new_classification(alert, &classification);
782 if ( ret < 0 )
783 goto err;
784
785 ret = idmef_alert_new_target(alert, &target, -1);
786 if ( ret < 0 )
787 goto err;
788
789 idmef_target_set_decoy(target, IDMEF_TARGET_DECOY_NO);
790
791 if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
792 idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
793 idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
794 }
795
796 if ( strstr(message, _("path=")) ) {
797#if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
798 if ( msgid != MSG_FI_ADD && msgid != MSG_FI_ADD2 )
799 get_file_infos(target, message, IDMEF_FILE_CATEGORY_ORIGINAL);
800#endif
801
802 get_file_infos(target, message, IDMEF_FILE_CATEGORY_CURRENT);
803 }
804
805 ret = idmef_alert_new_assessment(alert, &assessment);
806 if ( ret < 0 )
807 goto err;
808
809 ret = idmef_assessment_new_impact(assessment, &impact);
810 if ( ret < 0 )
811 goto err;
812
813 ret = idmef_classification_new_text(classification, &str);
814 if ( ret < 0 )
815 goto err;
816
817 ret = get_login_info(message, alert);
818 if ( ret < 0 )
819 goto err;
820
821 map_policy_to_class(message, msgid, impact, str);
822
823#if 0
824 if ( priority == SH_ERR_SEVERE || priority == SH_ERR_FATAL )
825 idmef_impact_set_severity(impact, IDMEF_IMPACT_SEVERITY_HIGH);
826
827 else if ( priority == SH_ERR_ALL || priority == SH_ERR_INFO || priority == SH_ERR_NOTICE )
828 idmef_impact_set_severity(impact, IDMEF_IMPACT_SEVERITY_LOW);
829
830 else
831 idmef_impact_set_severity(impact, IDMEF_IMPACT_SEVERITY_MEDIUM);
832#endif
833 idmef_impact_set_severity(impact, map_severity(priority));
834
835 idmef_impact_set_completion(impact, IDMEF_IMPACT_COMPLETION_SUCCEEDED);
836
837 ret = idmef_assessment_new_confidence(assessment, &confidence);
838 if ( ret < 0 )
839 goto err;
840
841 idmef_confidence_set_rating(confidence, IDMEF_CONFIDENCE_RATING_HIGH);
842
843 ret = idmef_alert_new_additional_data(alert, &data, -1);
844 if ( ret < 0 )
845 goto err;
846
847 ret = idmef_additional_data_new_meaning(data, &str);
848 if ( ret < 0 )
849 goto err;
850
851 prelude_string_set_dup(str, _("Message generated by Samhain"));
852 idmef_additional_data_set_type(data, IDMEF_ADDITIONAL_DATA_TYPE_STRING);
853 idmef_additional_data_set_string_ref(data, message);
854
855 /* debug_print_message(idmef); */
856
857 prelude_client_send_idmef(client, idmef);
858 idmef_message_destroy(idmef);
859
860 return 0;
861
862 err:
863 idmef_message_destroy(idmef);
864 return -1;
865}
866
867
868int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid)
869{
870 int ret;
871
872 (void) msgflags; /* fix compiler warning */
873
874 if ( initialized < 0 )
875 return -1;
876
877 ret = samhain_alert_prelude(priority, sh_class, message, msgid);
878 if ( ret < 0 ) {
879 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
880 _("Problem with IDMEF for prelude-ids support: alert lost"),
881 _("sh_prelude_alert"));
882 }
883
884 return ret;
885}
886
887
888
889int sh_prelude_set_profile(char *arg)
890{
891 if ( profile ) {
892 free(profile);
893 profile = NULL;
894 }
895
896 if ( arg ) {
897 profile = strdup(arg);
898 if ( ! profile )
899 return -1;
900 }
901
902 return 0;
903}
904
905
906void sh_prelude_reset(void)
907{
908 extern void sh_error_init_prelude();
909
910 ready_for_init = 1;
911 sh_error_init_prelude();
912 return;
913}
914
915
916
917void sh_prelude_stop(void)
918{
919 if (initialized < 1)
920 return;
921 prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
922 initialized = 0;
923 return;
924}
925
926
927
928int sh_prelude_init(void)
929{
930 int ret;
931 prelude_string_t *str;
932 idmef_analyzer_t *analyzer;
933 prelude_client_flags_t flags;
934
935 if (ready_for_init == 0)
936 return initialized;
937
938 if (initialized > 0)
939 return initialized;
940
941 prelude_thread_init(NULL);
942 prelude_init(NULL, NULL);
943
944 ret = prelude_client_new(&client, profile ? profile : _("samhain"));
945 if ( ret < 0 ) {
946 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
947 _("Failed to initialize Prelude"), _("sh_prelude_init"));
948 initialized = -1;
949 return -1;
950 }
951
952 /*
953 * Enable automatic heartbeat sending.
954 */
955 flags = prelude_client_get_flags(client);
956 ret = prelude_client_set_flags(client, flags | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER);
957
958 analyzer = prelude_client_get_analyzer(client);
959
960 ret = idmef_analyzer_new_model(analyzer, &str);
961 prelude_string_set_dup(str, IDMEF_ANALYZER_MODEL);
962
963 ret = idmef_analyzer_new_class(analyzer, &str);
964 prelude_string_set_dup(str, IDMEF_ANALYZER_CLASS);
965
966 ret = idmef_analyzer_new_version(analyzer, &str);
967 prelude_string_set_dup(str, IDMEF_ANALYZER_VERSION);
968
969 ret = prelude_client_start(client);
970 if ( ret < 0 ) {
971 prelude_perror(ret, _("error starting prelude client"));
972
973 if ( prelude_client_is_setup_needed(ret) )
974 prelude_client_print_setup_error(client);
975
976 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
977 _("Failed to start Prelude"), _("sh_prelude_init"));
978 initialized = -1;
979 return -1;
980 }
981
982 initialized = 1;
983 return 1;
984}
985
986/* HAVE_LIBPRELUDE_9 */
987#endif
988
Note: See TracBrowser for help on using the repository browser.